Android vulnerability affects 99 percent of devices according to mobile security firm
Last week, security researchers announced a new vulnerability for Android phones which could allow installed apps to be modified without the user being aware of it.
Almost all Android devices are vulnerable, as the vulnerability has existed since Android 1.6 (Donut), and currently only the Samsung Galaxy S4 has been patched to protect against it. According to reports as many as 900 million Android phones sold over the past 4 years could be exploited.
The vulnerability - known in some quarters as the ‘master key’ vulnerability - has attracted considerable media attention, but it has not always been accurately reported, states a press release from Trend Micro Mobile Security. Below the company details what according to them, is going on and what the threat is.
What’s this “master key” vulnerability?
The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route. An app can only be updated if the new version has a matching signature from the same developer.
This particular vulnerability is in that last step. What researchers have found is a way for attackers to update an already installed app even if they do not have the original developer’s signing key. In short, any installed app can be updated with a malicious version.Note that technically, there is no ‘master key’ that has been breached. Yes, any app can be modified and used for malicious purposes, but there’s no ‘master key’ in the first place.
What are the risks?
This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with much permission - like those from the phone’s manufacturer or the user’s service provider - are at particular risk.
Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker.
Google has made some steps to protect users, explains the press release. They have modified the backend of their online store so that apps that try to exploit this problem are blocked. Thus, users who do not download apps from third-party stores or sideload APK files should not be at risk from this threat. The company also released a fix for the vulnerability and distributed it among original equipment manufacturers. Hopefully, the importance of this update will prevent delays in its deployment